What was Safe Harbor, and what happened?

EU privacy law has long forbidden companies from transferring EU citizens’ personal data outside the EU’s borders, unless the destination country is deemed to provide “adequate” privacy protection.

The US/EU “Safe Harbor” agreement of 2000 enabled such transfers to take place: US companies could self-certify that they would protect data in line with EU principles, and the US government gave its assurance that EU citizens’ data would be kept safe.

In October 2015, the European Court of Justice took issue with the USA’s treatment of EU data and declared the Safe Harbor decision invalid because of the lack of protection afforded, “in light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services”.

What does this mean if my business transfers data outside of the EU?

Although the agreement itself is invalid, you can relax for a moment – this just means that you can no longer rely on a US supplier’s Safe Harbor self-certification as the legal basis for a transfer.

There are several other ways to stay compliant with EU privacy law:

1.) Get “freely given, specific, informed and unambiguous” consent from customers

If you obtain consent from your users to transfer their data outside the EU, you may do so – provided such consent is “freely given, specific, informed and unambiguous”. Of course, each of those terms is itself open to interpretation, and consent that has been freely given can just as freely be withdrawn, so it’s unsurprising this isn’t the most popular option for prudent EU companies.

2.) Agree model contracts (standard contractual clauses) with suppliers

The EU has published model contracts that allow data to be transferred to parties outside the EU (including US parties) without either side falling foul of EU data law. Predictably, these are fairly onerous on the non-EU party – requiring appropriate security measures (such as HTTPS being available), notification upon receipt of a warrant, and so on – and they’re not very flexible, either, since the clauses must be adopted as published. Fortunately, Cloud providers like Salesforce, Google Apps and our own hosting provider, Azure, will all agree to model clauses.

3.) Agree binding corporate rules (BCRs) between multi-national companies

Although not relevant for smaller companies, BCRs allow a multi-national company to share data between its own entities in different countries. These need to be approved by each European jurisdiction in which the company relies on them, so clearly this is not an easy option, although it is a workable long-term solution for large companies.

4.) Keep your data in the EU!

Sometimes the most obvious solution is the best – your business can avoid the need for any of the above measures simply by keeping data inside the EU. With a new UK Azure datacentre on the way in 2016 (to add to the existing sites in Ireland and the Netherlands) it’s clear Cloud providers are beginning to take EU data sovereignty seriously. Bear in mind, though, that location alone doesn’t settle everything: remote access to the data from outside the EU (by an overseas support team, for example) counts as a transfer in its own right, so check who can reach the data as well as where the disks sit.

Eclipse Financial Systems is familiar with the challenges presented by data protection law and can help your business stay compliant – whether your data needs to be hosted in the EU, US or Canada, just contact us to see how we can help.